
Linux 部署郵件TLS/SSL加密通信服務


部署郵件TLS/SSL加密通信服務


一.部署普通郵件服務器

1) 搭建並檢測郵件服務的發送服務

[root@mail ~]# rpm -q postfix

postfix-2.10.1-6.el7.x86_64

[root@mail ~]# netstat -pantu | grep :25

tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1822/master

tcp6 0 0 ::1:25 :::* LISTEN 1822/master

[root@mail ~]# ps -C master

PID TTY TIME CMD

1822 ? 00:00:00 master

[root@mail ~]# vim /etc/postfix/main.cf

[root@mail ~]# sed -n "113p;116p;419p" /etc/postfix/main.cf

inet_interfaces = all

#inet_interfaces = localhost

home_mailbox = Maildir/

[root@mail ~]# systemctl restart postfix.service

[root@mail ~]# useradd jim

[root@mail ~]# echo 654321 | passwd --stdin jim

[root@mail ~]# yum -y install telnet

[root@mail ~]# telnet localhost 25

Trying ::1...

Connected to localhost.

Escape character is '^]'.

220 mail.com.cn ESMTP Postfix

helo localhost

250 mail.com.cn

mail from:root@localhost

250 2.1.0 Ok

rcpt to:jim@localhost

250 2.1.5 Ok

data

354 End data with <CR><LF>.<CR><LF>

XXXXX

XXXX

XXX

XX

X

.

250 2.0.0 Ok: queued as BEDA283BDA92

quit

221 2.0.0 Bye

Connection closed by foreign host.

[root@mail ~]# cat /home/jim/Maildir/new/1515047330.Vfd02I4000083M847601.mail.com.cn

Return-Path: <[email protected]>

X-Original-To: jim@localhost

Delivered-To: [email protected]

Received: from localhost (localhost [IPv6:::1])

by mail.com.cn (Postfix) with SMTP id BEDA283BDA92

for <jim@localhost>; Thu, 4 Jan 2018 01:28:07 -0500 (EST)

Message-Id: <[email protected]>

Date: Thu, 4 Jan 2018 01:28:07 -0500 (EST)

From: [email protected]


XXXXX

XXXX

XXX

XX

X


#可以在發送郵件的時候 抓取發郵件的數據包

[root@mail ~]# tcpdump -i eth0 -A tcp port 25


2)搭建並檢測 郵件服務的收取

[root@mail ~]# yum -y install dovecot

[root@mail ~]# rpm -q dovecot

dovecot-2.2.10-5.el7.x86_64


[root@mail ~]# vim /etc/dovecot/conf.d/10-mail.conf

[root@mail ~]# sed -n '24p' /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:~/Maildir


[root@mail ~]# vim /etc/dovecot/conf.d/10-auth.conf

[root@mail ~]# sed -n '10p' /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = yes #yes 表示在未加密的連線上禁用明文認證;本機 (localhost) 連線被視為安全連線,所以下文的 telnet 測試仍可登入。若要允許遠端明文認證需改為 no

[root@mail ~]# systemctl start dovecot

[root@mail ~]# netstat -pantu | grep :110

tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 4924/dovecot

tcp6 0 0 :::110 :::* LISTEN 4924/dovecot

[root@mail ~]# netstat -pantu | grep :143

tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 4924/dovecot

tcp6 0 0 :::143 :::* LISTEN 4924/dovecot


[root@mail ~]# telnet localhost 110

Trying ::1...

Connected to localhost.

Escape character is '^]'.

+OK Dovecot ready.

USER jim

+OK

PASS 654321

+OK Logged in.

list

+OK 1 messages:

1 423

.

retr 1

+OK 423 octets

Return-Path: <[email protected]>

X-Original-To: jim@localhost

Delivered-To: [email protected]

Received: from localhost (localhost [IPv6:::1])

by mail.com.cn (Postfix) with SMTP id BEDA283BDA92

for <jim@localhost>; Thu, 4 Jan 2018 01:28:07 -0500 (EST)

Message-Id: <[email protected]>

Date: Thu, 4 Jan 2018 01:28:07 -0500 (EST)

From: [email protected]


XXXXX

XXXX

XXX

XX

X

.

quit

+OK Logging out.

Connection closed by foreign host.


#可以在收取郵件的時候 抓取收郵件的數據包

[root@mail ~]# tcpdump -A -i lo tcp port 110

[root@mail ~]# tcpdump -A -i lo -w /tmp/mail.cap tcp port 110

[root@mail ~]# tcpdump -A -r /tmp/mail.cap | grep user

reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)

.S...R..user jim #這裏可以通過抓包 抓取到郵件的用戶名和密碼 因為當前屬於明文傳輸

[root@mail ~]# tcpdump -A -r /tmp/mail.cap | grep pass

reading from file /tmp/mail.cap, link-type EN10MB (Ethernet)

.S6[.S..pass 654321




二,部署郵件TLS/SSL加密通信服務


1 郵件服務器的配置(192.168.4.2):

[root@mail ~]# systemctl restart postfix

[root@mail ~]# netstat -pantu | grep master

tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 5415/master

tcp6 0 0 :::25 :::* LISTEN 5415/master

[root@mail ~]# systemctl restart dovecot

[root@mail ~]# netstat -pantu | grep dovecot

tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 5446/dovecot

tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 5446/dovecot

tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 5446/dovecot

tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 5446/dovecot

tcp6 0 0 :::110 :::* LISTEN 5446/dovecot

tcp6 0 0 :::143 :::* LISTEN 5446/dovecot

tcp6 0 0 :::993 :::* LISTEN 5446/dovecot

tcp6 0 0 :::995 :::* LISTEN 5446/dovecot


2 創建私鑰文件 mail.key(之後用它生成證書請求文件)

[root@mail ~]# cd /etc/pki/tls/private/ #默認搜索私鑰目錄

[root@mail private]# openssl genrsa 2048 > mail.key #執行生成私鑰命令(用重定向生成的文件權限由 umask 決定,建議隨後執行 chmod 600 mail.key,避免私鑰被其他用戶讀取)



3 創建證書請求文件mail.csr

req 子命令:處理證書請求

-new 新文件

-key 私鑰

[root@mail private]# openssl req -new -key mail.key > ~/mail.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN #須與 CA 服務器的 match 匹配策略一致,否則簽發會被拒絕

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:Xuenqlve

Organizational Unit Name (eg, section) []:ope

Common Name (eg, your name or your server's hostname) []:mail #應設置為客戶端連線時使用的服務域名或主機名,否則客戶端會提示證書名稱不符

Email Address []:[email protected]


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


5 上傳證書請求文件給CA服務器(192.168.4.1)

[root@mail ~]# scp ~/mail.csr 192.168.4.1:/tmp


CA服務器的配置(192.168.4.1):

CA服務器具體配置 http://blog.51cto.com/13558754/2057718

6 審核證書請求文件,並簽發數字證書

[root@CA certs]# openssl ca -in /tmp/mail.csr > mail.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Jan 5 04:52:52 2018 GMT

Not After : Jan 5 04:52:52 2019 GMT

Subject:

countryName = CN

stateOrProvinceName = beijing

organizationName = Xuenqlve

organizationalUnitName = ope

commonName = mail

emailAddress = [email protected]

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

1E:C8:F7:FA:7D:F7:9F:7B:00:03:DC:3B:60:CB:A2:8F:C0:16:04:D1

X509v3 Authority Key Identifier:

keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7


Certificate is to be certified until Jan 5 04:52:52 2019 GMT (365 days)

Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated


註意:審核證書請求文件 報如下的錯誤時:

error while loading serial number

執行如下操作

[root@CA CA]# echo 01 > serial


[root@CA certs]# cat ../index.txt

V190105045252Z01unknown/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=mail/[email protected]

[root@CA certs]# cat ../serial

02


7 下發證書給郵件服務器(192.168.4.2)

[root@CA certs]# scp mail.crt 192.168.4.2:/root/




8 配置服務運行時調用私鑰文件 數字證書文件

8.1 配置發郵件服務

[root@mail ~]# vim /etc/postfix/main.cf

添加如下配置(smtpd_use_tls = yes 只是啟用 STARTTLS,並非強制加密;未使用 STARTTLS 的客戶端仍以明文傳輸)

[root@mail ~]# tail -4 /etc/postfix/main.cf

smtpd_use_tls = yes

#smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/pki/tls/private/mail.key

smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt

[root@mail ~]# cp /root/mail.crt /etc/pki/tls/certs/

[root@mail ~]# systemctl restart postfix.service

[root@mail ~]# netstat -pantu | grep master

tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 6461/master

tcp6 0 0 :::25 :::* LISTEN 6461/master

8.2 配置收郵件服務

[root@mail ~]# vim /etc/dovecot/conf.d/10-ssl.conf

添加如下配置

[root@mail ~]# sed -n '14p;15p' /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/pki/dovecot/certs/mail.crt

ssl_key = </etc/pki/dovecot/private/mail.key

[root@mail ~]# cp /etc/pki/tls/private/mail.key /etc/pki/dovecot/private/mail.key

[root@mail ~]# cp /root/mail.crt /etc/pki/dovecot/certs/mail.crt

[root@mail ~]# systemctl restart dovecot.service

[root@mail ~]# netstat -pantu | grep dovecot

tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 6517/dovecot

tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 6517/dovecot

tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 6517/dovecot

tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 6517/dovecot

tcp6 0 0 :::110 :::* LISTEN 6517/dovecot

tcp6 0 0 :::143 :::* LISTEN 6517/dovecot

tcp6 0 0 :::993 :::* LISTEN 6517/dovecot

tcp6 0 0 :::995 :::* LISTEN 6517/dovecot


三.客戶端在軟件裏設置連接郵件服務器時 是否加密協議

使用客戶端軟件時將郵件傳輸方式設置為 SSL/TLS(收信用 POP3S 995 或 IMAPS 993,發信用 STARTTLS),傳輸的數據就會進行加密。由於證書由自建 CA 簽發,客戶端需先導入該 CA 的證書,否則會提示證書不受信任。

